December 01, 2004

2005 - The Year of the Snail

So if 2004 depressingly swims past us as the Year of the Phish, what then will 2005 bring?

Worse, much worse. The issue is this: during the last 12 months, the Internet security landscape changed dramatically. A number of known, theoretical threats surfaced, became real, and became institutionalised. Here's a quick summary:

Viruses started to do more than just replicate and destroy: they started to steal. The first viruses that scanned for valuable information surfaced, and the first that installed keyloggers that targetted specific websites and banking passwords. Just this week, the first attack on the root list of SSL browsers was being tracked by security firms.

Money started to be made in serious amounts in phishing. This then fed into other areas, as phishers *invested* their ill gotten gains, which led to the next development:

Phishers started to use other techniques to gather their victims: viruses were used to harvest nodes for spam that were used to launch phishing attacks. Integration across all the potential threats was now a reality.

DDOS, which seemed to seriously take off in 2002, became a serious *extortion* threat to larger companies in 2004. Companies that had something to lose, lost.

In 2004, it now became clear that we were no longer dealing with a bunch of isolated hackers who were doing the crack as much to impress each other as to exercise their own skills. There is now a market phase for every conceivable tool out there, and mere hackers do not purchase the factors of their production.

Malware, spyware, and any other sort of ware turned up as infesting average PCs with Windows at numbers quoted as 30 per machine. And this was just the mild and benign stuff that reported your every browse for marketing purposes.

Microsoft were shown to be powerless to stem the tide. Their SP2 mid-life update caused as many problems as it might have solved. No progress was discernable overall, and 2004 might be marked as the year when even the bubble headed IT media started questioning the emporer's nakedness.

How can I summarise the summary in one pithy aphorism? For most intents and purposes, the Internet was secure for Windows users until about 2004. From 2005 onwards, the Internet is not secure for Windows users. Are you depressed, yet?

2005 will be the Year of the Snail. Your machine will move slowly and slipperily to a fate that you can't avoid. The security of the Windows system on which the vast majority of the net depends for its leaf nodes will repeat the imagery of a snail's house. Ever toiling, slithering slowly across the garden with an immense burden on its back, and ever fearful of approaching predator. The snail is quick to retreat into its house, but all to no avail, as that crunching sound announces that your machine just got turned into more phish compost.

I had hoped - foolish, I know - that Firefox and the like would have at least addressed the phishing threat by now. But now we are fighting a two fronts war: phishing attacks the browser's security model and UI, while all the rest attacks the Windows platform.

It's really easy to offer a solution: download Firefox, and buy a Mac. But this is like asking a snail to become a hedgehog; it is simply out of the budget of way too many users to rush out and buy a Mac. Those that can do so, do so!

Those that cannot, prepare for the Year of the Snail. And check in with us in a year's time to see how the two fronts war is going. The good news is that statistically, a few snails always survive to populate the garden for the next year. The bad news is that it will decidedly take more than a year for your house to evolve away from the sound of the crunch.

Iang ... what about linux? What about the stuff that Venkat sells .... FMware allowing dual booting etc ... I appreciate that it may be selfish to expect a direct reply but it would be interesting to read about in one of your future notes. (thanks for subscribing me ...).
Darren.

all that stuff is irrelevant to the big picture, simply because the mass market doesn't buy that stuff. Most users, in excess of 90%, use Windows because they don't want to do anything but use the simplest possible solution.

For these users, the mass of the market, the Mac is the only other game in town. It's the only system that caters to non-computer literate people, and the only one that also offers things like Microsoft Word.

The end is near as far as Microdudle goes because it has become the most complexed and unrewarding experience in the marketplace. As soon as people can they will switch to Apple because it works and does not require 30mb patches. Phishing is of course the major game being played as far as rip offs go outside of Microdudle. IBM created Microdudle and they have adopted Linux as their game plan. Linux is hard to work with for idiots like myself but Apple fills the void. As Ipod exposes more consumers to Apple the road to a marketing coupe has been paved. Apple will become the largest operating system quickly because the replacement of amortized desktops has peaked and the replacement cycle is coming due. The choice between something that works and something that does not makes it simple Microdudle no longer works because of its failure to adopt security into its designs. Apple is a UNIX based system that has lots of well educated support people that acutally talk to each other and know what they are taking about. This expert talk floats the boa of idiots like myself. The stroking of checks on the part of corporate buyers will not be in Microdudles favor they have destroyed the trust required to maintain the relationship. If for example you corporate situations where well trained and heavily supported infrastructures cannot stay open because of Microdudle then they will not be replacing it with Microdudle. Regardless of what percentage of desktops Microdudle now claims they will not be the way forward. Phishing was the tip of an iceberg as far as violating trust the Microdudle SP2 patch was the death of their monopoly and the dawn of Apples dominance in the consumer sectora and Linux in the commercial sector.

I've used Microsoft software for a while and I've never gotten a virus, worm or any spyware or adware. SP2 has been a big help in this regard. It's true that it has broken some applications but on the security front it has been a big improvement. Presumably there will be an SP3 in 2005 and things will get even better.

As far as stealing passwords and such, what we really need is Palladium, which will allow each application to create a secure vault for storing its secrets. But that won't be ready by 2005, thanks largely to the backlash from the privacy community.

Microsoft has the power to greatly improve the security situation, and it has the economic incentive to do so as well. SP2 shows what Microsoft can do. Yes, it had problems, but Microsoft bit the bullet, broke things, and put it out anyway because it fixed bugs and improved security.

It has taken time for Microsoft to respond to the increased need for security; a company its size doesn't turn on a dime. But it is turning and the security situation is changing as a result. The security community is living in the past if they don't see Microsoft's improve security posture as the most important factor for 2005.

SP2, etc is obviously part of the equation, and there is no doubt that a newly installed SP2 installation is mostly secure, for now. But, it takes a long long time for something like SP2 to roll out, and that's the issue: forget whether any particular software solves this in practice or in theory and look at the big (economics) picture.

It's pretty clear that in 2006 there will still be lots of machines not running SP2. So the problem will still exist. No matter how many times the supporters say "install SP2" the mass of the market place simply doesn't do it. This of course is why upgrades are becoming automated, but again, it will take a few years to roll that out.

In the meantime, we have a serious problem. The net has a serious problem. The notion that this is going to significantly change in 2005 - on the scale of the net - is hard to see. Fundamental shifts in software just don't happen that fast.

Ian, You are right on. I'm going to link this article and take the liberty of quoting some of it on my site.

Darren, you are right, rayservers.com was created in anticipation of these events. Those that have followed computers for a while know this is coming.

It just surprises me that no big players have taken the approach that we have - sell Linux and support legacy Windows via VMware - I hope to see interest in that approach as viruses get nastier.

Linux has gotten very usable these days. We don't need Apple to take a UNIX core (BSD) and make it useable - Linux is plenty useable - the pieces that were missing - OpenOffice and Firefox are getting mature... you can even run Linux on a Mac, with Mac OS X inside it and Windows inside the OSX inside Linux!!